Huge IIOHelper cleanup, removes some overlap with IHostingEnvironment, much less usages of IIOHelper and instead just use what is already available on IHostingEnvironment

Shannon
2020-04-03 11:03:06 +11:00
parent 1224c97f07
commit 7e2d0902af
70 changed files with 436 additions and 415 deletions


@@ -14,6 +14,7 @@ using Umbraco.Core;
using Umbraco.Core.Cache;
using Umbraco.Core.Configuration;
using Umbraco.Core.Configuration.UmbracoSettings;
using Umbraco.Core.Hosting;
using Umbraco.Core.IO;
using Umbraco.Core.Mapping;
using Umbraco.Core.Models.Identity;
@@ -36,9 +37,11 @@ namespace Umbraco.Web.Security
/// </summary>
/// <param name="app"></param>
/// <param name="services"></param>
/// <param name="mapper"></param>
/// <param name="contentSettings"></param>
/// <param name="globalSettings"></param>
/// <param name="userMembershipProvider"></param>
/// <param name="passwordConfiguration"></param>
/// <param name="ipResolver"></param>
public static void ConfigureUserManagerForUmbracoBackOffice(this IAppBuilder app,
ServiceContext services,
UmbracoMapper mapper,
@@ -75,9 +78,9 @@ namespace Umbraco.Web.Security
/// <param name="app"></param>
/// <param name="runtimeState"></param>
/// <param name="globalSettings"></param>
/// <param name="userMembershipProvider"></param>
/// <param name="customUserStore"></param>
/// <param name="contentSettings"></param>
/// <param name="passwordConfiguration"></param>
/// <param name="ipResolver"></param>
public static void ConfigureUserManagerForUmbracoBackOffice(this IAppBuilder app,
IRuntimeState runtimeState,
@@ -143,6 +146,8 @@ namespace Umbraco.Web.Security
/// <param name="userService"></param>
/// <param name="globalSettings"></param>
/// <param name="securitySettings"></param>
/// <param name="hostingEnvironment"></param>
/// <param name="requestCache"></param>
/// <returns></returns>
/// <remarks>
/// By default this will be configured to execute on PipelineStage.Authenticate
@@ -153,10 +158,10 @@ namespace Umbraco.Web.Security
IUserService userService,
IGlobalSettings globalSettings,
ISecuritySettings securitySettings,
IIOHelper ioHelper,
IHostingEnvironment hostingEnvironment,
IRequestCache requestCache)
{
return app.UseUmbracoBackOfficeCookieAuthentication(umbracoContextAccessor, runtimeState, userService, globalSettings, securitySettings, ioHelper, requestCache, PipelineStage.Authenticate);
return app.UseUmbracoBackOfficeCookieAuthentication(umbracoContextAccessor, runtimeState, userService, globalSettings, securitySettings, hostingEnvironment, requestCache, PipelineStage.Authenticate);
}
/// <summary>
@@ -168,7 +173,8 @@ namespace Umbraco.Web.Security
/// <param name="userService"></param>
/// <param name="globalSettings"></param>
/// <param name="securitySettings"></param>
/// <param name="ioHelper"></param>
/// <param name="hostingEnvironment"></param>
/// <param name="requestCache"></param>
/// <param name="stage">
/// Configurable pipeline stage
/// </param>
@@ -179,14 +185,14 @@ namespace Umbraco.Web.Security
IUserService userService,
IGlobalSettings globalSettings,
ISecuritySettings securitySettings,
IIOHelper ioHelper,
IHostingEnvironment hostingEnvironment,
IRequestCache requestCache,
PipelineStage stage)
{
//Create the default options and provider
var authOptions = app.CreateUmbracoCookieAuthOptions(umbracoContextAccessor, globalSettings, runtimeState, securitySettings, ioHelper, requestCache);
var authOptions = app.CreateUmbracoCookieAuthOptions(umbracoContextAccessor, globalSettings, runtimeState, securitySettings, hostingEnvironment, requestCache);
authOptions.Provider = new BackOfficeCookieAuthenticationProvider(userService, runtimeState, globalSettings, ioHelper, securitySettings)
authOptions.Provider = new BackOfficeCookieAuthenticationProvider(userService, runtimeState, globalSettings, hostingEnvironment, securitySettings)
{
// Enables the application to validate the security stamp when the user
// logs in. This is a security feature which is used when you
@@ -199,7 +205,7 @@ namespace Umbraco.Web.Security
};
return app.UseUmbracoBackOfficeCookieAuthentication(umbracoContextAccessor, runtimeState, globalSettings, securitySettings, ioHelper, requestCache, authOptions, stage);
return app.UseUmbracoBackOfficeCookieAuthentication(umbracoContextAccessor, runtimeState, globalSettings, securitySettings, hostingEnvironment, requestCache, authOptions, stage);
}
/// <summary>
@@ -210,14 +216,15 @@ namespace Umbraco.Web.Security
/// <param name="runtimeState"></param>
/// <param name="globalSettings"></param>
/// <param name="securitySettings"></param>
/// <param name="ioHelper"></param>
/// <param name="hostingEnvironment"></param>
/// <param name="requestCache"></param>
/// <param name="cookieOptions">Custom auth cookie options can be specified to have more control over the cookie authentication logic</param>
/// <param name="stage">
/// Configurable pipeline stage
/// </param>
/// <returns></returns>
public static IAppBuilder UseUmbracoBackOfficeCookieAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IGlobalSettings globalSettings,
ISecuritySettings securitySettings, IIOHelper ioHelper, IRequestCache requestCache, CookieAuthenticationOptions cookieOptions, PipelineStage stage)
ISecuritySettings securitySettings, IHostingEnvironment hostingEnvironment, IRequestCache requestCache, CookieAuthenticationOptions cookieOptions, PipelineStage stage)
{
if (app == null) throw new ArgumentNullException(nameof(app));
if (runtimeState == null) throw new ArgumentNullException(nameof(runtimeState));
@@ -232,10 +239,11 @@ namespace Umbraco.Web.Security
//don't apply if app is not ready
if (runtimeState.Level != RuntimeLevel.Upgrade && runtimeState.Level != RuntimeLevel.Run) return app;
var backOfficePath = globalSettings.GetBackOfficePath(hostingEnvironment);
var cookieAuthOptions = app.CreateUmbracoCookieAuthOptions(
umbracoContextAccessor, globalSettings, runtimeState, securitySettings,
//This defines the explicit path read cookies from for this middleware
ioHelper, requestCache, new[] {$"{ioHelper.BackOfficePath}/backoffice/UmbracoApi/Authentication/GetRemainingTimeoutSeconds"});
hostingEnvironment, requestCache, new[] {$"{backOfficePath}/backoffice/UmbracoApi/Authentication/GetRemainingTimeoutSeconds"});
cookieAuthOptions.Provider = cookieOptions.Provider;
//This is a custom middleware, we need to return the user's remaining logged in seconds
@@ -310,13 +318,15 @@ namespace Umbraco.Web.Security
/// <param name="umbracoContextAccessor"></param>
/// <param name="runtimeState"></param>
/// <param name="globalSettings"></param>
/// <param name="hostingEnvironment"></param>
/// <param name="requestCache"></param>
/// <returns></returns>
/// <remarks>
/// By default this will be configured to execute on PipelineStage.Authenticate
/// </remarks>
public static IAppBuilder UseUmbracoBackOfficeExternalCookieAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState,IGlobalSettings globalSettings, IIOHelper ioHelper, IRequestCache requestCache)
public static IAppBuilder UseUmbracoBackOfficeExternalCookieAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState,IGlobalSettings globalSettings, IHostingEnvironment hostingEnvironment, IRequestCache requestCache)
{
return app.UseUmbracoBackOfficeExternalCookieAuthentication(umbracoContextAccessor, runtimeState, globalSettings, ioHelper, requestCache, PipelineStage.Authenticate);
return app.UseUmbracoBackOfficeExternalCookieAuthentication(umbracoContextAccessor, runtimeState, globalSettings, hostingEnvironment, requestCache, PipelineStage.Authenticate);
}
/// <summary>
@@ -327,16 +337,17 @@ namespace Umbraco.Web.Security
/// <param name="umbracoContextAccessor"></param>
/// <param name="runtimeState"></param>
/// <param name="globalSettings"></param>
/// <param name="ioHelper"></param>
/// <param name="hostingEnvironment"></param>
/// <param name="requestCache"></param>
/// <param name="stage"></param>
/// <returns></returns>
public static IAppBuilder UseUmbracoBackOfficeExternalCookieAuthentication(this IAppBuilder app,
IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState,
IGlobalSettings globalSettings, IIOHelper ioHelper, IRequestCache requestCache, PipelineStage stage)
IGlobalSettings globalSettings, IHostingEnvironment hostingEnvironment, IRequestCache requestCache, PipelineStage stage)
{
if (app == null) throw new ArgumentNullException(nameof(app));
if (runtimeState == null) throw new ArgumentNullException(nameof(runtimeState));
if (ioHelper == null) throw new ArgumentNullException(nameof(ioHelper));
if (hostingEnvironment == null) throw new ArgumentNullException(nameof(hostingEnvironment));
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
@@ -345,7 +356,7 @@ namespace Umbraco.Web.Security
CookieName = Constants.Security.BackOfficeExternalCookieName,
ExpireTimeSpan = TimeSpan.FromMinutes(5),
//Custom cookie manager so we can filter requests
CookieManager = new BackOfficeCookieManager(umbracoContextAccessor, runtimeState, ioHelper, requestCache),
CookieManager = new BackOfficeCookieManager(umbracoContextAccessor, runtimeState, hostingEnvironment, globalSettings, requestCache),
CookiePath = "/",
CookieSecure = globalSettings.UseHttps ? CookieSecureOption.Always : CookieSecureOption.SameAsRequest,
CookieHttpOnly = true,
@@ -364,6 +375,8 @@ namespace Umbraco.Web.Security
/// <param name="globalSettings"></param>
/// <param name="securitySettings"></param>
/// <param name="ioHelper"></param>
/// <param name="hostingEnvironment"></param>
/// <param name="requestCache"></param>
/// <returns></returns>
/// <remarks>
/// This ensures that during a preview request that the back office use is also Authenticated and that the back office Identity
@@ -372,9 +385,9 @@ namespace Umbraco.Web.Security
/// <remarks>
/// By default this will be configured to execute on PipelineStage.PostAuthenticate
/// </remarks>
public static IAppBuilder UseUmbracoPreviewAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IGlobalSettings globalSettings, ISecuritySettings securitySettings, IIOHelper ioHelper, IRequestCache requestCache)
public static IAppBuilder UseUmbracoPreviewAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IGlobalSettings globalSettings, ISecuritySettings securitySettings, IHostingEnvironment hostingEnvironment, IRequestCache requestCache)
{
return app.UseUmbracoPreviewAuthentication(umbracoContextAccessor, runtimeState, globalSettings, securitySettings, ioHelper, requestCache, PipelineStage.PostAuthenticate);
return app.UseUmbracoPreviewAuthentication(umbracoContextAccessor, runtimeState, globalSettings, securitySettings, hostingEnvironment, requestCache, PipelineStage.PostAuthenticate);
}
/// <summary>
@@ -386,18 +399,20 @@ namespace Umbraco.Web.Security
/// <param name="globalSettings"></param>
/// <param name="securitySettings"></param>
/// <param name="ioHelper"></param>
/// <param name="hostingEnvironment"></param>
/// <param name="requestCache"></param>
/// <param name="stage"></param>
/// <returns></returns>
/// <remarks>
/// This ensures that during a preview request that the back office use is also Authenticated and that the back office Identity
/// is added as a secondary identity to the current IPrincipal so it can be used to Authorize the previewed document.
/// </remarks>
public static IAppBuilder UseUmbracoPreviewAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IGlobalSettings globalSettings, ISecuritySettings securitySettings, IIOHelper ioHelper, IRequestCache requestCache, PipelineStage stage)
public static IAppBuilder UseUmbracoPreviewAuthentication(this IAppBuilder app, IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtimeState, IGlobalSettings globalSettings, ISecuritySettings securitySettings, IHostingEnvironment hostingEnvironment, IRequestCache requestCache, PipelineStage stage)
{
if (runtimeState.Level != RuntimeLevel.Run) return app;
var authOptions = app.CreateUmbracoCookieAuthOptions(umbracoContextAccessor, globalSettings, runtimeState, securitySettings, ioHelper, requestCache);
app.Use(typeof(PreviewAuthenticationMiddleware), authOptions, ioHelper);
var authOptions = app.CreateUmbracoCookieAuthOptions(umbracoContextAccessor, globalSettings, runtimeState, securitySettings, hostingEnvironment, requestCache);
app.Use(typeof(PreviewAuthenticationMiddleware), authOptions, globalSettings, hostingEnvironment);
// This middleware must execute at least on PostAuthentication, by default it is on Authorize
// The middleware needs to execute after the RoleManagerModule executes which is during PostAuthenticate,
@@ -423,11 +438,13 @@ namespace Umbraco.Web.Security
/// <param name="globalSettings"></param>
/// <param name="runtimeState"></param>
/// <param name="securitySettings"></param>
/// <param name="hostingEnvironment"></param>
/// <param name="requestCache"></param>
/// <param name="explicitPaths"></param>
/// <returns></returns>
public static UmbracoBackOfficeCookieAuthOptions CreateUmbracoCookieAuthOptions(this IAppBuilder app,
IUmbracoContextAccessor umbracoContextAccessor,
IGlobalSettings globalSettings, IRuntimeState runtimeState, ISecuritySettings securitySettings, IIOHelper ioHelper, IRequestCache requestCache, string[] explicitPaths = null)
IGlobalSettings globalSettings, IRuntimeState runtimeState, ISecuritySettings securitySettings, IHostingEnvironment hostingEnvironment, IRequestCache requestCache, string[] explicitPaths = null)
{
//this is how aspnet wires up the default AuthenticationTicket protector so we'll use the same code
var ticketDataFormat = new TicketDataFormat(
@@ -440,9 +457,9 @@ namespace Umbraco.Web.Security
umbracoContextAccessor,
securitySettings,
globalSettings,
hostingEnvironment,
runtimeState,
ticketDataFormat,
ioHelper,
requestCache);
return authOptions;
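Review bot: Both `UseUmbracoPreviewAuthentication` overloads keep `/// <param name="ioHelper"></param>` in their XML docs although the parameter is now `hostingEnvironment`, so the docs name a parameter that no longer exists. Drop those two lines. Every `<param>` this commit adds to the file is also empty; for the overload that builds the explicit cookie path, something like `/// <param name="hostingEnvironment">Used with globalSettings to resolve the back office path that the cookie middleware reads cookies for</param>` would tell callers why it is required. Several of these methods start or end outside the hunks shown.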


@@ -11,6 +11,7 @@ using Umbraco.Core.IO;
using Umbraco.Core.Security;
using Umbraco.Core.Services;
using Umbraco.Core.Configuration.UmbracoSettings;
using Umbraco.Core.Hosting;
namespace Umbraco.Web.Security
{
@@ -19,15 +20,15 @@ namespace Umbraco.Web.Security
private readonly IUserService _userService;
private readonly IRuntimeState _runtimeState;
private readonly IGlobalSettings _globalSettings;
private readonly IIOHelper _ioHelper;
private readonly IHostingEnvironment _hostingEnvironment;
private readonly ISecuritySettings _securitySettings;
public BackOfficeCookieAuthenticationProvider(IUserService userService, IRuntimeState runtimeState, IGlobalSettings globalSettings, IIOHelper ioHelper, ISecuritySettings securitySettings)
public BackOfficeCookieAuthenticationProvider(IUserService userService, IRuntimeState runtimeState, IGlobalSettings globalSettings, IHostingEnvironment hostingEnvironment, ISecuritySettings securitySettings)
{
_userService = userService;
_runtimeState = runtimeState;
_globalSettings = globalSettings;
_ioHelper = ioHelper;
_hostingEnvironment = hostingEnvironment;
_securitySettings = securitySettings;
}
@@ -118,7 +119,7 @@ namespace Umbraco.Web.Security
protected virtual async Task EnsureValidSessionId(CookieValidateIdentityContext context)
{
if (_runtimeState.Level == RuntimeLevel.Run)
await SessionIdValidator.ValidateSessionAsync(TimeSpan.FromMinutes(1), context, _globalSettings, _ioHelper);
await SessionIdValidator.ValidateSessionAsync(TimeSpan.FromMinutes(1), context, _globalSettings, _hostingEnvironment);
}


@@ -7,6 +7,7 @@ using Microsoft.Owin.Infrastructure;
using Umbraco.Core;
using Umbraco.Core.Cache;
using Umbraco.Core.Configuration;
using Umbraco.Core.Hosting;
using Umbraco.Core.IO;
using Umbraco.Core.Security;
@@ -23,23 +24,26 @@ namespace Umbraco.Web.Security
{
private readonly IUmbracoContextAccessor _umbracoContextAccessor;
private readonly IRuntimeState _runtime;
private readonly IIOHelper _ioHelper;
private readonly IHostingEnvironment _hostingEnvironment;
private readonly IGlobalSettings _globalSettings;
private readonly IRequestCache _requestCache;
private readonly string[] _explicitPaths;
private readonly string _getRemainingSecondsPath;
public BackOfficeCookieManager(IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtime, IIOHelper ioHelper, IRequestCache requestCache)
: this(umbracoContextAccessor, runtime, ioHelper,requestCache, null)
public BackOfficeCookieManager(IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtime, IHostingEnvironment hostingEnvironment, IGlobalSettings globalSettings, IRequestCache requestCache)
: this(umbracoContextAccessor, runtime, hostingEnvironment, globalSettings, requestCache, null)
{ }
public BackOfficeCookieManager(IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtime, IIOHelper ioHelper, IRequestCache requestCache, IEnumerable<string> explicitPaths)
public BackOfficeCookieManager(IUmbracoContextAccessor umbracoContextAccessor, IRuntimeState runtime, IHostingEnvironment hostingEnvironment, IGlobalSettings globalSettings, IRequestCache requestCache, IEnumerable<string> explicitPaths)
{
_umbracoContextAccessor = umbracoContextAccessor;
_runtime = runtime;
_ioHelper = ioHelper;
_hostingEnvironment = hostingEnvironment;
_globalSettings = globalSettings;
_requestCache = requestCache;
_explicitPaths = explicitPaths?.ToArray();
_getRemainingSecondsPath = $"{ioHelper.BackOfficePath}/backoffice/UmbracoApi/Authentication/GetRemainingTimeoutSeconds";
var backOfficePath = _globalSettings.GetBackOfficePath(_hostingEnvironment);
_getRemainingSecondsPath = $"{backOfficePath}/backoffice/UmbracoApi/Authentication/GetRemainingTimeoutSeconds";
}
/// <summary>
@@ -103,9 +107,9 @@ namespace Umbraco.Web.Security
(checkForceAuthTokens && owinContext.Get<bool?>(Constants.Security.ForceReAuthFlag) != null)
|| (checkForceAuthTokens && _requestCache.IsAvailable && _requestCache.Get(Constants.Security.ForceReAuthFlag) != null)
//check back office
|| request.Uri.IsBackOfficeRequest(HttpRuntime.AppDomainAppVirtualPath, _ioHelper)
|| request.Uri.IsBackOfficeRequest(_globalSettings, _hostingEnvironment)
//check installer
|| request.Uri.IsInstallerRequest(_ioHelper))
|| request.Uri.IsInstallerRequest(_hostingEnvironment))
{
return true;
}
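Review bot: The request filter `request.Uri.IsBackOfficeRequest(_globalSettings, _hostingEnvironment)` no longer receives `HttpRuntime.AppDomainAppVirtualPath`, so whether the back office auth cookie is read for a request now depends on `IHostingEnvironment` reporting the same application virtual path. That overload is not visible on this page, so equivalence cannot be confirmed from here; a test with the site hosted under a virtual directory would pin it. The same substitution is made in `PreviewAuthenticationMiddleware` and in `SessionIdValidator.ValidateSessionAsync`. A comment at the call such as `// app virtual path now comes from IHostingEnvironment; must agree with HttpRuntime.AppDomainAppVirtualPath` would record the assumption. The enclosing method starts and ends outside the hunk.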


@@ -8,6 +8,7 @@ using Microsoft.Owin.Logging;
using Umbraco.Core;
using Umbraco.Core.Configuration;
using Umbraco.Core.Configuration.UmbracoSettings;
using Umbraco.Core.Hosting;
using Umbraco.Core.IO;
using Umbraco.Core.Security;
@@ -27,7 +28,7 @@ namespace Umbraco.Web.Security
private readonly IGlobalSettings _globalSettings;
private readonly ISecuritySettings _security;
private readonly ILogger _logger;
private readonly IIOHelper _ioHelper;
private readonly IHostingEnvironment _hostingEnvironment;
public GetUserSecondsMiddleWare(
OwinMiddleware next,
@@ -35,14 +36,14 @@ namespace Umbraco.Web.Security
IGlobalSettings globalSettings,
ISecuritySettings security,
ILogger logger,
IIOHelper ioHelper)
IHostingEnvironment hostingEnvironment)
: base(next)
{
_authOptions = authOptions ?? throw new ArgumentNullException(nameof(authOptions));
_globalSettings = globalSettings;
_security = security;
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_ioHelper = ioHelper;
_hostingEnvironment = hostingEnvironment;
}
public override async Task Invoke(IOwinContext context)
@@ -52,7 +53,7 @@ namespace Umbraco.Web.Security
if (request.Uri.Scheme.InvariantStartsWith("http")
&& request.Uri.AbsolutePath.InvariantEquals(
$"{_ioHelper.BackOfficePath}/backoffice/UmbracoApi/Authentication/GetRemainingTimeoutSeconds"))
$"{_globalSettings.GetBackOfficePath(_hostingEnvironment)}/backoffice/UmbracoApi/Authentication/GetRemainingTimeoutSeconds"))
{
var cookie = _authOptions.CookieManager.GetRequestCookie(context, _security.AuthCookieName);
if (cookie.IsNullOrWhiteSpace() == false)
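Review bot: The constructor guards `authOptions` and `logger` but stores `globalSettings` and `hostingEnvironment` unchecked, and `Invoke` now uses both on every request in `_globalSettings.GetBackOfficePath(_hostingEnvironment)`. A null in either would presumably surface as an exception inside the authentication pipeline rather than at startup; `_hostingEnvironment = hostingEnvironment ?? throw new ArgumentNullException(nameof(hostingEnvironment));` (and the same for `globalSettings`) matches the two guards already there. The path could also be resolved once in the constructor, as `BackOfficeCookieManager` does with `_getRemainingSecondsPath`, because the `/backoffice/UmbracoApi/Authentication/GetRemainingTimeoutSeconds` string is now assembled in three places that must agree. `Invoke` continues past the end of the hunk.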


@@ -4,6 +4,7 @@ using System.Web;
using Microsoft.Owin;
using Umbraco.Core;
using Umbraco.Core.Configuration;
using Umbraco.Core.Hosting;
using Umbraco.Core.IO;
using Umbraco.Core.Security;
@@ -12,7 +13,8 @@ namespace Umbraco.Web.Security
internal class PreviewAuthenticationMiddleware : OwinMiddleware
{
private readonly UmbracoBackOfficeCookieAuthOptions _cookieOptions;
private readonly IIOHelper _ioHelper;
private readonly IGlobalSettings _globalSettings;
private readonly IHostingEnvironment _hostingEnvironment;
/// <summary>
/// Instantiates the middleware with an optional pointer to the next component.
@@ -20,11 +22,13 @@ namespace Umbraco.Web.Security
/// <param name="next"/>
/// <param name="cookieOptions"></param>
/// <param name="globalSettings"></param>
/// <param name="hostingEnvironment"></param>
public PreviewAuthenticationMiddleware(OwinMiddleware next,
UmbracoBackOfficeCookieAuthOptions cookieOptions, IIOHelper ioHelper) : base(next)
UmbracoBackOfficeCookieAuthOptions cookieOptions, IGlobalSettings globalSettings, IHostingEnvironment hostingEnvironment) : base(next)
{
_cookieOptions = cookieOptions;
_ioHelper = ioHelper;
_globalSettings = globalSettings;
_hostingEnvironment = hostingEnvironment;
}
/// <summary>
@@ -41,7 +45,7 @@ namespace Umbraco.Web.Security
var isPreview = request.HasPreviewCookie()
&& claimsPrincipal != null
&& request.Uri != null
&& request.Uri.IsBackOfficeRequest(HttpRuntime.AppDomainAppVirtualPath, _ioHelper) == false;
&& request.Uri.IsBackOfficeRequest(_globalSettings, _hostingEnvironment) == false;
if (isPreview)
{
//If we've gotten this far it means a preview cookie has been set and a front-end umbraco document request is executing.


@@ -9,6 +9,7 @@ using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Security.Cookies;
using Umbraco.Core;
using Umbraco.Core.Configuration;
using Umbraco.Core.Hosting;
using Umbraco.Core.IO;
using Constants = Umbraco.Core.Constants;
@@ -29,9 +30,9 @@ namespace Umbraco.Web.Security
{
public const string CookieName = "UMB_UCONTEXT_C";
public static async Task ValidateSessionAsync(TimeSpan validateInterval, CookieValidateIdentityContext context, IGlobalSettings globalSettings, IIOHelper ioHelper)
public static async Task ValidateSessionAsync(TimeSpan validateInterval, CookieValidateIdentityContext context, IGlobalSettings globalSettings, IHostingEnvironment hostingEnvironment)
{
if (context.Request.Uri.IsBackOfficeRequest(HttpRuntime.AppDomainAppVirtualPath, ioHelper) == false)
if (context.Request.Uri.IsBackOfficeRequest(globalSettings, hostingEnvironment) == false)
return;
var valid = await ValidateSessionAsync(validateInterval, context.OwinContext, context.Options.CookieManager, context.Options.SystemClock, context.Properties.IssuedUtc, context.Identity, globalSettings);


@@ -6,6 +6,7 @@ using Umbraco.Core;
using Umbraco.Core.Cache;
using Umbraco.Core.Configuration;
using Umbraco.Core.Configuration.UmbracoSettings;
using Umbraco.Core.Hosting;
using Umbraco.Core.IO;
namespace Umbraco.Web.Security
@@ -22,9 +23,9 @@ namespace Umbraco.Web.Security
IUmbracoContextAccessor umbracoContextAccessor,
ISecuritySettings securitySettings,
IGlobalSettings globalSettings,
IHostingEnvironment hostingEnvironment,
IRuntimeState runtimeState,
ISecureDataFormat<AuthenticationTicket> secureDataFormat,
IIOHelper ioHelper,
IRequestCache requestCache)
{
var secureDataFormat1 = secureDataFormat ?? throw new ArgumentNullException(nameof(secureDataFormat));
@@ -42,7 +43,7 @@ namespace Umbraco.Web.Security
TicketDataFormat = new UmbracoSecureDataFormat(LoginTimeoutMinutes, secureDataFormat1);
//Custom cookie manager so we can filter requests
CookieManager = new BackOfficeCookieManager(umbracoContextAccessor, runtimeState, ioHelper, requestCache, explicitPaths);
CookieManager = new BackOfficeCookieManager(umbracoContextAccessor, runtimeState, hostingEnvironment, globalSettings, requestCache, explicitPaths);
}
/// <summary>


@@ -8,6 +8,7 @@ using Umbraco.Core.Models.Membership;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Umbraco.Core.Configuration;
using Umbraco.Core.Hosting;
using Umbraco.Core.IO;
using Umbraco.Core.Models;
using Umbraco.Web.Models.Identity;
@@ -23,14 +24,14 @@ namespace Umbraco.Web.Security
private readonly IHttpContextAccessor _httpContextAccessor;
private readonly IUserService _userService;
private readonly IGlobalSettings _globalSettings;
private readonly IIOHelper _ioHelper;
private readonly IHostingEnvironment _hostingEnvironment;
public WebSecurity(IHttpContextAccessor httpContextAccessor, IUserService userService, IGlobalSettings globalSettings, IIOHelper ioHelper)
public WebSecurity(IHttpContextAccessor httpContextAccessor, IUserService userService, IGlobalSettings globalSettings, IHostingEnvironment hostingEnvironment)
{
_httpContextAccessor = httpContextAccessor;
_userService = userService;
_globalSettings = globalSettings;
_ioHelper = ioHelper;
_hostingEnvironment = hostingEnvironment;
}
private IUser _currentUser;
@@ -145,7 +146,7 @@ namespace Umbraco.Web.Security
var user = CurrentUser;
// Check for console access
if (user == null || (requiresApproval && user.IsApproved == false) || (user.IsLockedOut && RequestIsInUmbracoApplication(_httpContextAccessor, _globalSettings, _ioHelper)))
if (user == null || (requiresApproval && user.IsApproved == false) || (user.IsLockedOut && RequestIsInUmbracoApplication(_httpContextAccessor, _globalSettings, _hostingEnvironment)))
{
if (throwExceptions) throw new ArgumentException("You have no privileges to the umbraco console. Please contact your administrator");
return ValidateRequestAttempt.FailedNoPrivileges;
@@ -154,9 +155,9 @@ namespace Umbraco.Web.Security
}
private static bool RequestIsInUmbracoApplication(IHttpContextAccessor httpContextAccessor, IGlobalSettings globalSettings, IIOHelper ioHelper)
private static bool RequestIsInUmbracoApplication(IHttpContextAccessor httpContextAccessor, IGlobalSettings globalSettings, IHostingEnvironment hostingEnvironment)
{
return httpContextAccessor.GetRequiredHttpContext().Request.Path.ToLower().IndexOf(ioHelper.ResolveUrl(globalSettings.UmbracoPath).ToLower(), StringComparison.Ordinal) > -1;
return httpContextAccessor.GetRequiredHttpContext().Request.Path.ToLower().IndexOf(hostingEnvironment.ToAbsolute(globalSettings.UmbracoPath).ToLower(), StringComparison.Ordinal) > -1;
}
/// <summary>
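Review bot: `RequestIsInUmbracoApplication` still decides with `Request.Path.ToLower().IndexOf(...ToLower(), StringComparison.Ordinal) > -1`, which matches the Umbraco path anywhere in the request path and lower-cases both sides with the current culture, and its result gates the `user.IsLockedOut` branch of the privilege check in the hunk above. The other classes touched by this commit answer the same question with `Uri.IsBackOfficeRequest(globalSettings, hostingEnvironment)`, so this helper can drift from them. If a hand-rolled comparison is kept, an anchored, culture-independent form is safer: `.Request.Path.StartsWith(hostingEnvironment.ToAbsolute(globalSettings.UmbracoPath), StringComparison.OrdinalIgnoreCase)`. Whether `ToAbsolute` returns the path in the same form as `Request.Path` is not visible here and should be checked before switching to a prefix match.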